By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Objective 2.9: Given a scenario, configure appropriate security settings on small office/home office (SOHO) wireless and wired networks.
Both wireless and wired small office/home office (SOHO) networks are important to businesses of all sizes, as well as individual users. However, they represent significant vulnerabilities if they are not properly secured. The following sections explain how the different encryption methods work and detail the additional steps that must be taken to completely secure a wireless network. Home Router Settings To be secure and navigate the Internet safely in today’s world, specific security settings must be considered when installing and configuring a home router. The following are some important guidelines for SOHO wireless and wired networks. Change Default Passwords The documentation for almost all WAPs and wireless routers lists the default administrator password. This documentation can be readily downloaded in PDF or HTML form from vendor websites. Because an attacker can use this information to take over the device, it is essential to change the default to a private password. Most routers use the Administration or Management dialog for the password and other security settings. Tip: To further secure a router or WAP, configure the device so that it can be managed only with a wired Ethernet connection. IP Filtering Settings that control access to the network by analyzing IP traffic are known as Access Control Lists (ACLs). Basic settings on a SOHO are fairly easy to implement by simply knowing what types of IP protocols and traffic will be allowed. For example, many large networks deny ping traffic by filtering out ICMP protocol traffic on the networks. Traffic can be filtered by traffic type or by IP address. In general terms, IP filtering lets you control what Internet Protocol (IP) traffic is allowed into and out of your network. Firmware Updates Most SOHO router vendors issue at least one firmware update during the lifespan of each model of WAP and wireless router. Updates can solve operational problems and add features that enhance Wi-Fi interoperability, security, and ease of use. To determine whether a WAP or wireless router has a firmware update available, follow these steps: Step 1. View the device’s configuration dialogs to record the current firmware version. Also note the router’s model number and revision from the back or bottom of the device. Step 2. Visit the device vendor’s website to see whether a new version of the firmware is available. Step 3. Download the firmware update to a PC that can be connected to the device with an Ethernet cable. Step 4. Connect the PC to the device with an Ethernet cable. Step 5. Navigate to the device’s firmware update dialog. Step 6. Follow the instructions to update firmware. Content Filtering The IT department is responsible for compliance to the acceptable use policy of IT infrastructure, as well as making sure that inbound and outbound content is in line with expectations. Shielding the network from errant users who would exploit inappropriate content on the Web or in email is necessary. Content filters on routers help control access to inappropriate websites and can filter by address or other keywords of concern. These filters can be applied to both inbound or outbound traffic and, depending on the router, permit different levels of control for individual users. Physical Placement/Secure Locations In a SOHO network environment, physical security refers to preventing unauthorized use of the network. The same basics of physical security apply in a SOHO network in a large office environment: - Secure the network equipment in a locked wiring closet or room. - Disable any unused wall Ethernet jacks by either disabling their switch ports or unplugging the patch panels in the wiring closet. - Route network cables out of sight, in the walls and above the ceiling. Having them out of sight cuts down on the chances that someone will tap into the network. - Lock doors when leaving. - If possible, dedicate a lockable room as a workspace in a home office, to protect company devices and other resources from the hazards of daily family life, such as children and pets. Dynamic Host Configuration Protocol (DHCP) Reservations The DHCP server built into almost all home routers is responsible for giving out IP addresses to all computers on the network that request one. Restricting DHCP is one way to control access to the network. Most DHCP servers can reserve IP addresses for specific computers and other devices, such as printers, by mapping the device’s physical MAC address and matching it to a constant IP address. Dynamic Host Configuration Protocol (DHCP) reservations allow the network administrator to manage devices and control IP leases for outside users. These reservations can also be used on IP phones and IoT devices. Static IP addresses, configured by the network administrator and not DHCP, are still important for network stability. Devices such as switches, printers, and servers should have static addresses so that they are available when a DHCP server is down. Static WAN IP The wide area network on a SOHO is the connection to the Internet Service Provider (ISP). The static WAN IP address is provided by the ISP and is applied (usually automatically) to the “Internet” port on the router. The address is “static” because it does not change and does not expire as a leased dynamic address does. This address is on a different network from the local SOHO addresses because it belongs to the ISP’s router. Universal Plug and Play Universal Plug and Play (UPnP) was designed to allow devices on a home or SOHO local area network (LAN) to easily connect and cooperate with other devices on the LAN. As a similar example of Plug and Play, consider a printer being plugged into a computer: The Plug and Play capability of the OS finds a device driver and allows the device to interact. UPnP scaled up this idea to a LAN, to allow gaming devices, smart home IoT devices, and virtual assistants to work on a LAN. UPnP does not scale further up to enterprise networks. This benefit of easy setup of devices comes with security flaws. Especially concerning is the UPnP use of port forwarding and its lack of authentication. If it is exploited from the outside, port forwarding grants access to devices on the LAN; this should not be universally enabled, but it comes enabled by default on many routers. The best approach is to protect the SOHO LAN by disabling port forwarding and taking on the task of manually setting up devices on the SOHO LAN. Screened Subnet A screened subnet, formerly known by CompTIA as a demilitarized zone (DMZ), allows outside traffic through to a particular IP address on a LAN. In a SOHO router, any device assigned to the DMZ receives traffic that is not specified for a particular device. Using a DMZ host makes sense for gaming and other types of traffic when you cannot specify in advance the ports needed. However, the DMZ host must have its own firewall because DMZ hosts are not protected by the router firewall. Wireless-Specific Security The default settings for a wireless network should be changed to provide security. The following sections discuss these issues. Changing the Service Set Identifier (SSID) The service set identifier (SSID) can provide a great deal of useful information to a potential hacker of a wireless network. Every wireless network must have an SSID; WAPs and wireless routers typically use the manufacturer’s name or the device’s model number as the default SSID. If a default SSID is broadcast by a wireless network, a hacker can look up the documentation for a specific router or the most common models of a particular brand and then determine the default IP address range, the default administrator username and password, and other information that makes it easy to attack the network. To help “hide” the details of your network and location, a replacement SSID for a secure wireless network should not include any of the following: - Your name - Your company name - Your location - Any other easily identifiable information An SSID that includes obscure information (such as the name of your first pet) is a suitable replacement. Encryption Settings The importance of setting encryption to the latest possible standards is covered in “Wireless Security Protocols and Authentication.” The information there applies to SOHO networks as well because a SOHO can be set up as an extension of a business. In such a case, all security policies from the business should apply at the SOHO extension as well. Disabling SSID Broadcast Disabling SSID broadcast is widely believed to be an effective way to prevent a wireless network from being detected, and the A+ certification exam shares that opinion. But this approach is not always enough. Even though disabling SSID broadcast prevents casual bandwidth snoopers from finding your wireless network, Microsoft does not recommend disabling SSID broadcasting as a security measure because serious hackers can use certain methods to discover networks.
Figure illustrates a Linksys router configuration dialog in which several of these security recommendations have been implemented. Configuring a Router with Alternative SSIDs, WPA2 Encryption Enabled, and SSID Broadcast Disabled Disabling Guest Access The guest account in a wireless network is a potential security risk, so it should be disabled. If visitors need Internet access, a separate guest wireless network that does not connect to the business network is a good replacement. Changing Channels Wireless frequency channels can overlap with neighboring channels. If this happens, consider changing the channel to one that is farther away. You can also reduce the transmit power of the wireless channel being used, to limit access to a smaller area. This can help keep malicious outsiders or rogue employees from connecting to a SOHO router. Firewall Settings By default, most WAPs and wireless routers use a feature called Network Address Translation (NAT) to act as simple firewalls. NAT prevents traffic from the Internet from determining the private IP addresses that computers on the network use. However, many WAPs and wireless routers offer additional firewall features that can be enabled, including the following: - Access logs - Filtering for specific types of traffic - Enhanced support for VPNs See the router manufacturer’s documentation for more information about advanced security features. Figure below shows an example of firewall settings. Firewall Settings Port Forwarding/Mapping Use port forwarding (also known as port mapping) to allow inbound traffic on a particular TCP or UDP port or range to go to a particular IP address rather than to all devices on a network. A basic example is an FTP server that is internal to a LAN. The FTP server might have the IP address 192.168.0.250 and might have port 21 open and ready to accept file transactions (or a different inbound port could be used). Clients on the Internet that want to connect to the FTP server would have to know the IP address of the router, so the clients might connect with an FTP client using the IP address 68.54.127.95 and port 21. If an appropriate port-forwarding rule is in use, the router sees these packets and forwards them to 192.168.0.250:21, or whatever port is chosen. Many ISPs block this type of activity, but port forwarding is a common and important method in larger networks. Disabling Ports Blocking TCP and UDP ports, also known as disabling ports, is performed with a firewall app such as Windows Defender Firewall with Advanced Security. Hackers take advantage of unused ports sitting idle on a network, and disabling unnecessary ports makes it harder to access your domain.
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.